Krebs on Security

In-depth security news and investigation

Brute Force Attacks Build WordPress Botnet

Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers.

Source: Cloudflare.com

Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today (this blog also runs WordPress).

According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.

Incapsula co-founder Marc Gaffan told KrebsOnSecurity that infected sites will be seeded with a backdoor the lets the attackers control the site remotely (the backdoors persist regardless of whether the legitimate site owner subsequently changes his password). The infected sites then are conscripted into the attacking server botnet, and forced to launch password-guessing attacks against other sites running WordPress.

Gaffan said the traffic being generated by all this activity is wreaking havoc for some Web hosting firms.

“It’s hurting the service providers the most, not just with incoming traffic,” Gaffan said. “But as soon as those servers get hacked, they are now bombarding other servers with attack traffic. We’re talking about Web servers, not home PCs. PCs maybe connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.”

Indeed, this was the message driven home Thursday in a blog post from Houston, Texas based HostGator, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites.

“As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence,” wrote HostGator’s Sean Valant. “This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.”

That assessment was echoed in a blog post Thursday by CloudFlare, content delivery network based in San Francisco. Cloudflare CEO Matthew Prince said the tactics employed in this attack are similar to those used by criminals to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was responsible for a series of rather large cyber attacks against the largest US financial institutions.

“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Prince wrote. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

HostGator’s Valant urged WordPress administrators to change their passwords to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*). For more on picking strong passwords, see this tutorial. Users can also restrict access to wp-admin so that it is only reachable from specific IP addresses.

Also, WordPress users can take advantage of a third-party plugin from Duo Security, which enables secure logins using one-time codes pushed via text message or an associated mobile app.

Matthew Mullenweg, the founding developer of WordPress, suggests site administrators chose a username that is something other than “admin”. In addition, he urged WordPress.com-hosted blogs to turn on two-factor authentication, and to verify that the site is running the latest version of WordPress. “Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg wrote.

Daniel Cid, chief technology officer of Sucuri Security, a company that helps site owners prevent and recover from security breaches, said his team isn’t seeing infected sites being used to attack others; according to Cid, most of the password brute-forcing is being conducted by desktop systems under the attackers’ control.

“We saw a big increase in the number of brute force attacks (almost tripled) since previous month’s average,” Cid wrote in an instant message interview. “However, at least from our data, they are not re-using the compromised sites to build a botnet to scan others. I assume that is speculation. On the sites we looked [at] that were hacked, the attackers injected backdoors and malware on them,” including the Blackhole Exploit Kit. Cid also shared a copy of the username/password list that the attackers have been using for the brute-forcing.

“The brute force attacks do not seem to be coming from servers, but from desktops,” Cid said. “However, this is still very early, since they are injecting backdoors (a variation of the Filesman backdoor) they can later use the sites to inject malware or even create a botnet and brute force other sites.”

According to Sucuri, WordPress administrators who have been hacked should strongly consider taking the following steps to evict the intruders and infections:

– Log in to the administrative panel and remove any unfamiliar admin users.

– Change all passwords for all admin users (and make sure all legitimate accounts are protected with strong passwords this time).

This entry was posted on Friday, April 12th, 2013 at 2:32 pm and is filed under Latest Warnings, The Coming Storm.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

68 comments

I’ve had good experience using Wordfence and implementing things like Country blocking. I have not seen any noticeable uptick in attacks over the past few weeks. I also rename my admin accounts during the post install configuration using my hardening cheat sheet, and use a password manager to create 30+ char impossible to remember passwords. I also self host all of my WordPress instances on multiple vps servers spread around the country, which may be keeping me under the radar. So far so good.
Beware of stale security plugins.
Just another note on WordPress security plugins – before I settled on Wordfence I did a survey of all I could find referencing lots of WordPress security type blogs and articles. What I found was that many of the popular plugins cited were outdated by several versions and not supported under the current version of WordPress. So before you break your site by installing a stale, poorly supported plugin, be sure to read the compatibility information on the plugin page, and always test it on a non production server first. Key WordPress compatibility information on a plugin page:
“Requires: 3.3.1 or higher
Compatible up to: 3.5.1
Last Updated: 2013-3-21” (shows under active development)
This topic could go on and on, but hopefully a lesson learned for many who have decided to use WordPress.

I have already figured this method out 100% and know of it. I actually gave a speech on this and tried to explain and to be able to give a complete fix to prevent this.
People think this is a ddos method they getting from regular botnet. Is a common mistake.

Just thought to mention that there is now a Google Authenticator Plugin for WordPress. You can enable (or disable) it per user (admin, editor, etc). This, together with strong password and a strong user name will go a long way to securing the back end.

Also make sure that Wordfence (or equivalent) is set up to lock out unauthorized logins.

Thanks for all your good work. I particularly enjoyed your dialogue with Leo and Steve.

Someone above mentioned the Google Authenticator plugin for WordPress. This is an optimal solution. WordPress gains an extra field for a security code, which is generate by an app running on a mobile device. The code expires every minute. I’ve written a blog post about it with full instructions: http://www.youarekidding.me/2013/04/google-authenticator-plugin/

I was not aware of what the term brute force attack means but now thing are a lot clearer. Having a efficient firewall and other type of security plug-ins and programs definitely help. Furthermore, I have always believed the password should be a little bit more complicated so it woudl be harder to crack . That is common sense. You should not use a simple password. Never. Cheers and thanks for sharing this with us.

I don’t understand the mentality of people who do these things. Never have and frankly, I don’t want to.

I really appreciate the plugin suggestions in addition to the limit logins. I would like to have security that runs in the background and only needs some occasionally monitoring. I know its important, I just don’t want to spend all my online time defending instead of creating.

My WP based site was one of the hacked sites a couple of weeks ago. Though I never use common username & password, they still managed to hack my site.

I’ve asked my hosting company to reinstall WP from scratch, but it doesn’t work. In fact now it’s been the 3rd time within 2 weeks that I still can’t work on my WP. Now I can’t even login to wp-admin, either by asking password or through phpMyAdmin (cpanel).

I have no idea how to remove this ‘back door’ seeded into my (root directory, may be?) or my website.

I consider just dump this troubled site & buy a new one. But what if the new one is also attacked?

It’s more vital than in the past to protect WordPress websites, otherwise there’s the chance that they may possibly be turned into used for criminal activities.

I already had safety measures set up to prevent brute force penetration but after seeing well over 10K tries to login into my blog in recent days I decided that regardless of whether they failed it wouldn’t hurt having even tighter security.

As someone who is looking to go into this field I found it interesting that brute force attacks could cause quite the impact on the target. I wouldn’t have known that it could not only harm the severs, but also increase the attack making it even stronger. I do believe that having more methods of preventing things such as this, like having more complicated passwords would help tremendously as Christine mentioned.